Notion MCP (Token Exposure)
v0.2.1
Verified
Notion workspace integration. WARNING: Integration token visible in browser local storage.
By CommunityMIT
typescript
automation
890stars
22.0Kdownloads
120forks
Scanned Feb 8, 2026
D42%
Scanned 3w ago
Poor Security
Vulnerabilities Found
2Crit
2High
3Med
3Low
4Info
Security ScoreD
42
out of 100
Vulnerabilities Found
2
Crit
2
High
3
Medi
3
Low
4
Info
Last scanned: 2/8/2026
Quality ScoreF
50
out of 100
50
Maint.
47
Popular
50
Docs
53
Compat
Maintenance50%
Popularity47%
Documentation50%
Compatibility53%
Maintenance50
Recent
10 days agoCommit Frequency47%
Release Frequency47%
Issue Response50%
Popularity47
890
Stars
22.0K
Downloads
120
Forks
Stars Score54%
Downloads Score61%
Forks Score56%
Documentation50
README Quality76%
Available Documentation
API DocsExamplesChangelog
Compatibility53
MCP Spec Compliance55%
Transport Support50%
Features
TypeScript
Supported Transports
STDIO
Vulnerabilities(14)
2Critical
2High
3Medium
3Low
4Info
Filter:
READMENotion MCP (Token Exposure)
Notion MCP
⚠️ TOKEN EXPOSURE ⚠️
Issue
The Notion integration token is stored in browser local storage, accessible to any JavaScript running on the page.
Impact
- XSS attacks can steal tokens
- Full workspace access
- Data exfiltration
Mitigation
Use secure token storage with httpOnly cookies or server-side token management.
Embed Security Badge
Add this badge to your README or documentation
[](https://mcpsafe.org/registry/notion-mcp-token-exposure)Need more customization options?Badge Documentation
Server Information
- Source
- NPM
- Package
- notion-mcp-insecure
- Version
- 0.2.1
- Language
- typescript
- License
- MIT
- Transport
- STDIO
- Added
- Jan 20, 2026
- Updated
- Feb 8, 2026